Krebs on Security

In-depth security news and investigation

IRS: Crooks Stole Data on 100K Taxpayers Via ‘Get Transcript’ Feature

In March 2015, KrebsOnSecurity broke the news that identity thieves engaged in filing fraudulent tax refund requests with the Internal Revenue Service (IRS) were using the IRS’s own Web site to obtain taxpayer data needed to complete the phony requests. Today, IRS Commissioner John Koskinen acknowledged that crooks used this feature to pull sensitive data on more than 100,000 taxpayers this year.

That March story — Sign Up at IRS.gov Before Crooks Do It For You — tracked the nightmarish story of Michael Kasper, one of millions of Americans victimized by tax refund fraud each year. When Kasper tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

Koskinen was quoted today in an Associated Press story saying the IRS was alerted to the thieves when technicians noticed an increase in the number of taxpayers seeking transcripts. The story noted that the IRS said the thieves targeted the system from February to mid-May, and that the service has been temporarily shut down. Prior to that shutdown, the IRS estimates that thieves used the data to steal up to $50 million in fraudulent refunds.

“In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles,” the IRS said in a statement. “During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.”
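The pattern in the IRS statement, a surge of registration attempts concentrated in unfamiliar email domains with a far lower authentication pass rate than ordinary users manage, is the kind of thing a simple detection rule can catch. The Python below is an added example written for this page, not IRS code; the log records, the `.example` domains, the baseline window and the thresholds are all constructed assumptions.

```python
"""Added example (not IRS code): flag a registration surge and the
questionable-email-domain pattern the IRS described, over a constructed
log of account sign-up attempts for a transcript service."""
from collections import defaultdict
from datetime import date
from statistics import median


def _build_sample_log():
    """Constructed data: (day, email, kba_passed). Domains ending in
    .example are made up; nothing here is from real IRS logs."""
    legit = ["gmail.com", "outlook.com", "yahoo.com"]
    rows = []
    # Five baseline days: three ordinary sign-ups each, all clear KBA.
    for d in range(1, 6):
        for i, dom in enumerate(legit):
            rows.append((date(2015, 2, d), f"user{d}{i}@{dom}", True))
    # Surge day: the usual trickle plus 40 attempts from two domains
    # never seen in the baseline, of which exactly half clear KBA.
    for i, dom in enumerate(legit):
        rows.append((date(2015, 2, 6), f"user6{i}@{dom}", True))
    for n in range(40):
        dom = "fastbox.example" if n % 2 else "tmpmail.example"
        rows.append((date(2015, 2, 6), f"acct{n}@{dom}", n % 4 < 2))
    return rows


SAMPLE_LOG = _build_sample_log()
BASELINE_DAYS = {date(2015, 2, d) for d in range(1, 6)}  # assumed window


def _domain(email):
    return email.rsplit("@", 1)[-1].lower()


def daily_counts(log):
    counts = defaultdict(int)
    for day, _, _ in log:
        counts[day] += 1
    return dict(counts)


def volume_spikes(log, baseline_days, factor=3.0):
    """Days outside the baseline whose attempt count exceeds
    factor * (median daily count over the baseline days)."""
    counts = daily_counts(log)
    base = median(counts.get(d, 0) for d in baseline_days)
    return {d: c for d, c in counts.items()
            if d not in baseline_days and c > factor * base}


def domain_stats(log):
    """domain -> (attempts, attempts that cleared KBA)."""
    stats = defaultdict(lambda: [0, 0])
    for _, email, passed in log:
        stats[_domain(email)][0] += 1
        stats[_domain(email)][1] += int(passed)
    return {dom: tuple(v) for dom, v in stats.items()}


def questionable_domains(log, baseline_days, min_attempts=10, min_pass_rate=0.8):
    """A domain is questionable when it sends at least min_attempts and
    either never appeared in the baseline period or clears KBA at a rate
    well below what genuine taxpayers manage (thresholds are assumptions)."""
    seen_in_baseline = {_domain(e) for d, e, _ in log if d in baseline_days}
    flagged = {}
    for dom, (attempts, passes) in domain_stats(log).items():
        if attempts < min_attempts:
            continue
        if dom not in seen_in_baseline or passes / attempts < min_pass_rate:
            flagged[dom] = (attempts, passes)
    return flagged


def summarize(log, baseline_days):
    """Roll the two signals up into the figures an incident summary would
    report: spike days, flagged domains, attempts and KBA clearances."""
    flagged = questionable_domains(log, baseline_days)
    return {
        "spike_days": sorted(d.isoformat() for d in volume_spikes(log, baseline_days)),
        "questionable_domains": sorted(flagged),
        "attempts_from_questionable": sum(a for a, _ in flagged.values()),
        "cleared_kba_from_questionable": sum(p for _, p in flagged.values()),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG, BASELINE_DAYS).items():
        print(f"{k}: {v}")
```

The per-domain pass-rate test is what separates an attack from a legitimate filing-season rush: genuine taxpayers answering questions about their own history clear knowledge-based authentication almost every time, whereas an attacker working from purchased data clears it only some of the time, which is exactly the ratio the IRS statement reports. The volume threshold alone would also fire on a busy but honest day, so the two signals should be read together.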

SCOURGE AT THE STATE LEVEL

The Government Accountability Office (GAO) estimates that thieves stole nearly $6 billion from state and federal coffers last year via tax refund fraud. This year, fraudsters changed their tactics, leading to a huge spike in attempted fraudulent refund requests, particularly at the state level.

Earlier this week, I had an opportunity to interview John Valentine, chair of the Utah State Tax Commission. Valentine said this year his state saw a tenfold increase in suspicious tax refund filings, and that most of that increase was the result of a type of tax fraud the state had never seen before.

“This was unique, where someone clearly had the information from the prior year’s tax return,” Valentine said. “That differs significantly from the way the return comes across if it’s just ID theft. If you have the prior year’s return, you have the names of children, their Social Security numbers and other data you don’t oftentimes get with ID theft.”

“These suspicious returns all had the filing status exactly the same [as the year prior], the number of exemptions exactly the same… you even got spelling errors on addresses and names, so that the same errors that occurred in the 2013 return occurred in the fraudulent 2014 return,” Valentine explained. “That’s what told us we were dealing with a different kind of fraud, especially since the extent of the fraud was ten times the amount of fraud we’d seen in the past.”

Valentine said he believes most of that increase was due to lax authentication and security at third-party tax preparation firms (TurboTax, for example). Based on numerous stories about poor authentication and virtually nonexistent “know-your-customer” procedures at TurboTax, I’ve no doubt the nation’s leading tax preparation firm contributed considerably to the spike. But that same data that Valentine references also could be had by pulling taxpayer data from the IRS’s site, which until very recently offered the full previous year’s W2 information on taxpayers.

Stay tuned over the next week for more in-depth stories and interviews about how the states are grappling with tax return fraud, and the changes they are seeking to the status quo.

58 comments

The Internal Revenue Service should have implemented identity theft protection on all social security numbers used for tax filings years ago, instead of forcing people into paying for a third party service after fraud happens.

Either the authentication process was not that deep (number of security questions) or this is a hard breach. I just don’t see over 100,000 requests being successful if there were numerous security questions with obscure answers.

I remember the story: Sign Up at IRS.gov Before Crooks Do It For You. Unfortunately, the morons at the IRS shut down the sign-up to stop the fraud. I tried but eventually gave up. Now the story is resurrecting itself again. I see they will offer 1 year of credit monitoring if you have been compromised. They sure are a quick study at the US GOV. I have not been compromised, no thanks to the IRS, but with their incompetence it should not take much longer…

Let’s hope that the spike was because of Brian’s “Sign Up at IRS.gov Before Crooks Do It For You” article.

I know I followed his advice; it was shockingly easy. I still can’t believe they delegated the Q&A to a credit report agency, instead of just asking for last year’s Adjusted Gross Income, or something like that.

Wondering if the IRS is now going to contact me to tell me that my information may have been stolen…

Not true at all: tax transcripts are often needed to apply for loans or government benefits. In this situation you know exactly what your tax return says, but you need the tax transcript to satisfy the paperwork requirements of the other party.

Perhaps if the social security number was used only for the purpose for which it was intended, some fraud(s) would be limited. Having one number for so many uses/places makes it easy for the “bad” guys.

This year was the last straw for Intuit software. I deleted it all — Quicken, Turbotax — after Intuit made you upload your sensitive, private financial information to Intuit’s servers just to create a PDF of your return.

“You may save your return as a PDF file and understand it may be processed on Intuit servers, not as part of the Software.”

Strange that your username is a competitor of Intuit called H&R Block.

Did you know that company outsources some of their clients’ tax return work to India ?

This site brags about it (proceed at your own risk)
hxxp://www.outsource2india.com/financial/hr-block-tax-cut-processing.asp

And have you heard of the enormous number of scammer calls posted on various telephone-number-report websites, where the poster says the person who called had a strong accent that made them sound like a person in India? And the calls were threatening the poster with arrest by the IRS?

True enough, using weak things that people ‘know’ such as SSN, mother’s maiden name, birthdate as authenticators is way past obsolete. Perhaps legislators can explicitly enact rules that such methods are inadequate as means to authenticate people for any financial or legal matter.

The question becomes what options should the IRS and other organizations require as standards?

Every tax return I have filed requires my telephone number – sounds like one option. Using SMS could be another based on uncontested returns.

Credit card authentication could be used as banks do a fair job managing them along with a hold on funds this could minimize fraud.

Mechanisms like ApplePay authentication could be used as well and reduce even further.

Until 2009 you could use a personal certificate service such as Thawte Web of Trust to issue strongly authenticated X.509 certificates. We used notaries and strong credentials to issue certificates.

More forward thinking might include a DNA ‘fingerprint’ entrusted to any of a number of independent and trusted certificate authorities to issue digital credentials.

In Australia it is necessary to provide authentication from the previous year’s Notice of Assessment before you can file this year’s. The NoA arrived via snail mail and you may be asked for the date of the notice, their reference number, a $ amount on the letter etc etc.
Too easy for the IRS to do something similar?

Remember, we have over 300,000,000 people in the USA. That’s more than 12 times as many people as Australia.

This means a lot of IRS mail never gets delivered because the recipients can’t be found. And some IRS mail has DO NOT FORWARD on the envelopes.

Australia has less than 24 million people. For comparison, the second-most-populated state in the US is Texas with more than 28 million, and unknown millions of illegal aliens from countries south of the Rio Grande. And the people who control the state government do not want any state income tax on its residents.

I doubt the IRS has 12 x the number of employees of Australia’s. The best numbers I can find online are ~ 22,000 for ATO and ~ 90,000 for the IRS, probably less thanks to the anti tax collection Tea Partiers in the House.

I should note that people moving around is not a problem at all. When you file your taxes online in Australia it takes about 2 weeks to get your Assessment notice which is what you have to quote next year. I’m sure you would know when you filed if you were going to move in the next 2 weeks. Moving after that is irrelevant.

Ok, Australia has fewer people than the USA… let’s compare with Brazil then. There, the “receita federal” created a software package (Java based, including a local load of past filed reports and saving as a local PDF) to fill in the tax return. There is no other option, and you can only use their own. Refunds go only to bank accounts in your name and/or by check to be issued at one specific bank, attached to the government. Probably not a perfect system, but the authentication, channel encryption and server database are protected… Just another example that contains a considerable number of users, if this is the problem.

The IRS does have the Identity Protection PIN program. Once a taxpayer gets set up for this program, each year they mail a letter with a PIN number that goes on the tax return. After the PIN has been issued, they will not accept tax returns without it.

@Gnecht, I was affected by federal income tax fraud this year. I was able to get help from the Taxpayer Advocate System to get my refund in about 3 months, rather than the SIX months the IRS would have subjected me to otherwise. But what was interesting is that the Taxpayer Advocate recommended I file by paper for the next 3 years. When I asked whether I couldn’t just apply for the Identity Protection PIN program, the Advocate told me that PIN almost always caused problems when eFiling, and hung up the eFile attempt. The recommendation was to send the paper return for the next 3 years. The IRS itself is SO haphazard and incompetent at this time it is beyond ridiculous.

There are ways to write up tax returns to show refunds regardless what someone’s actual situation is. And, the IRS does not have time – and maybe not even the ability – to verify the information before it is required to issue the refund.

@Slackjaw — the ability of thieves to obtain a refund in your name has nothing to do with whether you owe the IRS money or the other way around. The thieves are just pretending to be you and lying to the IRS that you’re due a refund. When you go to file your taxes (refund or no), you get notified that someone has already filed for you. But you still have to file your real taxes, so this doesn’t help you at all.

My son, after hours on the phone over a few days was told that yes he was a victim of identity theft at the IRS, that he was on the task force list who had six months to reply, would probably take that long, and that further information from him (he is still getting requests about questions, forms, requests he didn’t make) would be futile so don’t bother. It is being taken care of! Money was given the thief, but his large refund is in limbo with all inquiries refused. TurboTax is where his troubles started.
Additionally he got questions from Social Security about questions and forms he had not requested. When contacting the local office he was told it was just an error, not to worry, and do not register until he is 65. Hard to believe, but true.

I recall a number of years ago as a UK resident with US Stock Options administered by Mellon.
When I came to access the new VR system I had to enter an SSN, which I didn’t formally have. My paperwork said my SSN was 000-00-0000.
I entered that into the system, and was told there were 9 accounts that matched, and would I scroll through and identify which was mine based purely on the USD balance of the account.
Rather traumatic as the first 3 offered were $0 – $0 – $0. I moved the account quite quickly.

Just another reason that you should not get a tax refund. Besides the fact that you are losing time value of money and giving a free loan to the government, you risk having your rightful money returned to you. It’s rather beyond me as to why people want to get a refund which only hurts them. On the actual security side, if you were provided a two-factor PIN number that was ONLY used to file taxes in combination with your government ID number (SSN) then that would cut down on the fraud. The problem is our government and corporations insist on using SSN as an identification number instead of a way to file taxes.

There are things called “refundable credits” that generate refunds even if no tax is due. The Earned Income Credit is probably the best-known and most problematic for fraud. (Think of it as a negative tax for low income people – “Thank you so much for getting a job instead of being on welfare!”) Just fill out tax forms a certain way, and the IRS will give a refund. What could possibly go wrong?

The Earned Income Credit’s 24% improper payment rate is happening even after the IRS made tax preparers be social workers by requiring Form 8867 Paid Preparer’s Earned Income Credit Checklist. (http://www.irs.gov/pub/irs-pdf/f8867.pdf)

>>>The IRS emphasizes this incident involves one application involving transcripts — it does not involve other IRS systems, such as our core taxpayer accounts or other applications, such as Where’s My Refund.<<<

Does this mean that if you did not have a Get Transcript account that your data was not accessed?

The IRS is far too lax in issuing refunds anyway. This is the first place they should look to close the spigot. To request a refund is one thing; to actually send it without first being sure (and I don’t mean by Internet-available security information) is quite another. If they were running a business they’d go bankrupt.

One thing I haven’t seen in this or the wire service stories: has the IRS actually notified the (real) taxpayers whose identities have been stolen? Has it instituted any way for them to better secure their tax return data?

When the IRS registers a new user on their site, they should be sending a confirmation to the address of record of the user to inform him/her that an account has been registered in his/her name. This is a requirement of NIST SP 800-63-2. Are they doing this?

Actually it is not required, if only that these are guidelines and not requirements itself. NIST SP 800-63-2 only serves as a basis of actual requirements but has no ‘law’ itself.

But specifically the section on Authentication Process does not even mention it, let alone mandate a post-verification.

But I would of course agree that such a step would have been very smart. The IRS does use it for other parts of their systems, but I guess the volume of requests (25 million) made them not apply it here.

It has been suggested long ago to scrap the concept of the credit bureau. In Europe they don’t have them. Your health benefit ID number is only good for medical care; it has no financial use. You have to set up a one-on-one relationship with all financial institutions. If you appear on any type of credit report, it means you are a deadbeat, so a thief would be an idiot to use that information.

Too bad the owners of the system don’t pay the cost of the fraud in the US.

Europe also has credit bureaus. They are less used though, indeed, but not paying your mortgage, loan or in some countries phone bills gets you a bad record with private (yes, private!) organisations that act like our credit bureaus. And that will in turn make you less likely to get a mortgage, credit card, etc.

Also note that, on the flip side of course, having no credit bureaus means one would have to submit much more data with every credit card application or loan request.

Per recent and numerous news articles, the IRS is currently running Windows XP on more than 50% of their approximately 110,000 computers and servers. Microsoft has purportedly advised them numerous times about this practice. Their ‘malware’ has also been reported to not have been updated for several years.

I suspect there is not an intelligent reason for their lack of computer and security awareness.

CCN report indicates this is tied to Russia. Does anyone know how? And are we to assume this is Russian cybercrime or something more sophisticated?

Also – Krebs, your article suggests folks using Turbo Tax were likely the largest type of victim. What is the working theory on how this adversary grabbed the information required to file the bogus claims?

I don’t know about any ties to Russia. There are plenty of crooks here in the USA doing this type of fraud. Increasingly, it seems the biggest group of fraudsters conducting tax fraud are out of Nigeria.

I’ve been saying this for years to whoever will listen, but the raw ingredients needed to file someone’s taxes are available for sale in the underground very cheaply, probably less than the cost of a McDonald’s happy meal per person.